lxc-user-nic: use common code from network.c

src/lxc/Makefile.am

@@ -223,7 +223,7 @@ lxc_kill_SOURCES = lxc_kill.c
 lxc_create_SOURCES = lxc_create.c
 lxc_snapshot_SOURCES = lxc_snapshot.c
 lxc_usernsexec_SOURCES = lxc_usernsexec.c
-lxc_user_nic_SOURCES = lxc_user_nic.c
+lxc_user_nic_SOURCES = lxc_user_nic.c network.c network.h
 
 install-exec-local: install-soPROGRAMS
 	mkdir -p $(DESTDIR)$(datadir)/lxc

src/lxc/conf.c

@@ -2583,47 +2583,6 @@ void lxc_rename_phys_nics_on_shutdown(struct lxc_conf *conf)
 	free(conf->saved_nics);
 }
 
-static int setup_private_host_hw_addr(char *veth1)
-{
-	struct ifreq ifr;
-	int err;
-	int sockfd;
-
-	process_lock();
-	sockfd = socket(AF_INET, SOCK_DGRAM, 0);
-	process_unlock();
-	if (sockfd < 0)
-		return -errno;
-
-	snprintf((char *)ifr.ifr_name, IFNAMSIZ, "%s", veth1);
-	err = ioctl(sockfd, SIOCGIFHWADDR, &ifr);
-	if (err < 0) {
-		process_lock();
-		close(sockfd);
-		process_unlock();
-		return -errno;
-	}
-
-	ifr.ifr_hwaddr.sa_data[0] = 0xfe;
-	err = ioctl(sockfd, SIOCSIFHWADDR, &ifr);
-	process_lock();
-	close(sockfd);
-	process_unlock();
-	if (err < 0)
-		return -errno;
-
-	DEBUG("mac address of host interface '%s' changed to private "
-	      "%02x:%02x:%02x:%02x:%02x:%02x", veth1,
-	      ifr.ifr_hwaddr.sa_data[0] & 0xff,
-	      ifr.ifr_hwaddr.sa_data[1] & 0xff,
-	      ifr.ifr_hwaddr.sa_data[2] & 0xff,
-	      ifr.ifr_hwaddr.sa_data[3] & 0xff,
-	      ifr.ifr_hwaddr.sa_data[4] & 0xff,
-	      ifr.ifr_hwaddr.sa_data[5] & 0xff);
-
-	return 0;
-}
-
 static char *default_rootfs_mount = LXCROOTFSMOUNT;
 
 struct lxc_conf *lxc_conf_init(void)

src/lxc/lxc_user_nic.c

@@ -45,51 +45,9 @@
 #include <linux/rtnetlink.h>
 #include <linux/sockios.h>
 #include <sys/param.h>
-#include <sched.h>
 #include "config.h"
 #include "utils.h"
-
-#if ISTEST
-#define CONF_FILE "/tmp/lxc-usernet"
-#define DB_FILE "/tmp/nics"
-#else
-#define CONF_FILE LXC_USERNIC_CONF
-#define DB_FILE LXC_USERNIC_DB
-#endif
-
-#include "nl.h"
-
-#ifndef IFLA_LINKMODE
-#  define IFLA_LINKMODE 17
-#endif
-
-#ifndef IFLA_LINKINFO
-#  define IFLA_LINKINFO 18
-#endif
-
-#ifndef IFLA_NET_NS_PID
-#  define IFLA_NET_NS_PID 19
-#endif
-
-#ifndef IFLA_INFO_KIND
-# define IFLA_INFO_KIND 1
-#endif
-
-#ifndef IFLA_VLAN_ID
-# define IFLA_VLAN_ID 1
-#endif
-
-#ifndef IFLA_INFO_DATA
-#  define IFLA_INFO_DATA 2
-#endif
-
-#ifndef VETH_INFO_PEER
-# define VETH_INFO_PEER 1
-#endif
-
-#ifndef IFLA_MACVLAN_MODE
-# define IFLA_MACVLAN_MODE 1
-#endif
+#include "network.h"
 
 void usage(char *me, bool fail)
 {
@@ -146,14 +104,14 @@ static char *get_username(void)
  */
 static int get_alloted(char *me, char *intype, char *link)
 {
-	FILE *fin = fopen(CONF_FILE, "r");
+	FILE *fin = fopen(LXC_USERNIC_CONF, "r");
 	char *line = NULL;
 	char user[100], type[100], br[100];
 	size_t len = 0;
 	int n = -1, ret;
 
 	if (!fin) {
-		fprintf(stderr, "Failed to open %s: %s\n", CONF_FILE,
+		fprintf(stderr, "Failed to open %s: %s\n", LXC_USERNIC_CONF,
 			strerror(errno));
 		return -1;
 	}
@@ -229,11 +187,7 @@ static bool nic_exists(char *nic)
 	int ret;
 	struct stat sb;
 
-#if ISTEST
-	ret = snprintf(path, MAXPATHLEN, "/tmp/lxcnettest/%s", nic);
-#else
 	ret = snprintf(path, MAXPATHLEN, "/sys/class/net/%s", nic);
-#endif
 	if (ret < 0 || ret >= MAXPATHLEN) // should never happen!
 		return true;
 	ret = stat(path, &sb);
@@ -242,198 +196,6 @@ static bool nic_exists(char *nic)
 	return true;
 }
 
-struct link_req {
-	struct nlmsg nlmsg;
-	struct ifinfomsg ifinfomsg;
-};
-
-#if ! ISTEST
-
-static int lxc_veth_create(const char *name1, const char *name2)
-{
-	struct nl_handler nlh;
-	struct nlmsg *nlmsg = NULL, *answer = NULL;
-	struct link_req *link_req;
-	struct rtattr *nest1, *nest2, *nest3;
-	int len, err;
-
-	err = netlink_open(&nlh, NETLINK_ROUTE);
-	if (err)
-		return err;
-
-	err = -EINVAL;
-	len = strlen(name1);
-	if (len == 1 || len >= IFNAMSIZ)
-		goto out;
-
-	len = strlen(name2);
-	if (len == 1 || len >= IFNAMSIZ)
-		goto out;
-
-	err = -ENOMEM;
-	nlmsg = nlmsg_alloc(NLMSG_GOOD_SIZE);
-	if (!nlmsg)
-		goto out;
-
-	answer = nlmsg_alloc(NLMSG_GOOD_SIZE);
-	if (!answer)
-		goto out;
-
-	link_req = (struct link_req *)nlmsg;
-	link_req->ifinfomsg.ifi_family = AF_UNSPEC;
-	nlmsg->nlmsghdr.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));
-	nlmsg->nlmsghdr.nlmsg_flags =
-		NLM_F_REQUEST|NLM_F_CREATE|NLM_F_EXCL|NLM_F_ACK;
-	nlmsg->nlmsghdr.nlmsg_type = RTM_NEWLINK;
-
-	err = -EINVAL;
-	nest1 = nla_begin_nested(nlmsg, IFLA_LINKINFO);
-	if (!nest1)
-		goto out;
-
-	if (nla_put_string(nlmsg, IFLA_INFO_KIND, "veth"))
-		goto out;
-
-	nest2 = nla_begin_nested(nlmsg, IFLA_INFO_DATA);
-	if (!nest2)
-		goto out;
-
-	nest3 = nla_begin_nested(nlmsg, VETH_INFO_PEER);
-	if (!nest3)
-		goto out;
-
-	nlmsg->nlmsghdr.nlmsg_len += sizeof(struct ifinfomsg);
-
-	if (nla_put_string(nlmsg, IFLA_IFNAME, name2))
-		goto out;
-
-	nla_end_nested(nlmsg, nest3);
-
-	nla_end_nested(nlmsg, nest2);
-
-	nla_end_nested(nlmsg, nest1);
-
-	if (nla_put_string(nlmsg, IFLA_IFNAME, name1))
-		goto out;
-
-	err = netlink_transaction(&nlh, nlmsg, answer);
-out:
-	netlink_close(&nlh);
-	nlmsg_free(answer);
-	nlmsg_free(nlmsg);
-	return err;
-}
-
-static int lxc_netdev_move(char *ifname, pid_t pid)
-{
-	struct nl_handler nlh;
-	struct nlmsg *nlmsg = NULL;
-	struct link_req *link_req;
-	int err, index;
-
-	index = if_nametoindex(ifname);
-	if (!ifname)
-		return -EINVAL;
-
-	err = netlink_open(&nlh, NETLINK_ROUTE);
-	if (err)
-		return err;
-
-	err = -ENOMEM;
-	nlmsg = nlmsg_alloc(NLMSG_GOOD_SIZE);
-	if (!nlmsg)
-		goto out;
-
-	link_req = (struct link_req *)nlmsg;
-	link_req->ifinfomsg.ifi_family = AF_UNSPEC;
-	link_req->ifinfomsg.ifi_index = index;
-	nlmsg->nlmsghdr.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));
-	nlmsg->nlmsghdr.nlmsg_flags = NLM_F_REQUEST|NLM_F_ACK;
-	nlmsg->nlmsghdr.nlmsg_type = RTM_NEWLINK;
-
-	if (nla_put_u32(nlmsg, IFLA_NET_NS_PID, pid))
-		goto out;
-
-	err = netlink_transaction(&nlh, nlmsg, nlmsg);
-out:
-	netlink_close(&nlh);
-	nlmsg_free(nlmsg);
-	return err;
-}
-
-static int setup_private_host_hw_addr(char *veth1)
-{
-	struct ifreq ifr;
-	int err;
-	int sockfd;
-
-	sockfd = socket(AF_INET, SOCK_DGRAM, 0);
-	if (sockfd < 0)
-		return -errno;
-
-	snprintf((char *)ifr.ifr_name, IFNAMSIZ, "%s", veth1);
-	err = ioctl(sockfd, SIOCGIFHWADDR, &ifr);
-	if (err < 0) {
-		close(sockfd);
-		return -errno;
-	}
-
-	ifr.ifr_hwaddr.sa_data[0] = 0xfe;
-	err = ioctl(sockfd, SIOCSIFHWADDR, &ifr);
-	close(sockfd);
-	if (err < 0)
-		return -errno;
-
-	return 0;
-}
-
-static int netdev_set_flag(const char *name, int flag)
-{
-	struct nl_handler nlh;
-	struct nlmsg *nlmsg = NULL, *answer = NULL;
-	struct link_req *link_req;
-	int index, len, err;
-
-	err = netlink_open(&nlh, NETLINK_ROUTE);
-	if (err)
-		return err;
-
-	err = -EINVAL;
-	len = strlen(name);
-	if (len == 1 || len >= IFNAMSIZ)
-		goto out;
-
-	err = -ENOMEM;
-	nlmsg = nlmsg_alloc(NLMSG_GOOD_SIZE);
-	if (!nlmsg)
-		goto out;
-
-	answer = nlmsg_alloc(NLMSG_GOOD_SIZE);
-	if (!answer)
-		goto out;
-
-	err = -EINVAL;
-	index = if_nametoindex(name);
-	if (!index)
-		goto out;
-
-	link_req = (struct link_req *)nlmsg;
-	link_req->ifinfomsg.ifi_family = AF_UNSPEC;
-	link_req->ifinfomsg.ifi_index = index;
-	link_req->ifinfomsg.ifi_change |= IFF_UP;
-	link_req->ifinfomsg.ifi_flags |= flag;
-	nlmsg->nlmsghdr.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));
-	nlmsg->nlmsghdr.nlmsg_flags = NLM_F_REQUEST|NLM_F_ACK;
-	nlmsg->nlmsghdr.nlmsg_type = RTM_NEWLINK;
-
-	err = netlink_transaction(&nlh, nlmsg, answer);
-out:
-	netlink_close(&nlh);
-	nlmsg_free(nlmsg);
-	nlmsg_free(answer);
-	return err;
-}
-
 static int instanciate_veth(char *n1, char **n2)
 {
 	int err;
@@ -463,99 +225,8 @@ static int instanciate_veth(char *n1, char **n2)
 	return netdev_set_flag(n1, IFF_UP);
 }
 
-static int lxc_bridge_attach(const char *bridge, const char *ifname)
-{
-	int fd, index, err;
-	struct ifreq ifr;
-
-	if (strlen(ifname) >= IFNAMSIZ)
-		return -EINVAL;
-
-	index = if_nametoindex(ifname);
-	if (!index)
-		return -EINVAL;
-
-	fd = socket(AF_INET, SOCK_STREAM, 0);
-	if (fd < 0)
-		return -errno;
-
-	strncpy(ifr.ifr_name, bridge, IFNAMSIZ-1);
-	ifr.ifr_name[IFNAMSIZ-1] = '\0';
-	ifr.ifr_ifindex = index;
-	err = ioctl(fd, SIOCBRADDIF, &ifr);
-	close(fd);
-	if (err)
-		err = -errno;
-
-	return err;
-}
-
-static int lxc_netdev_delete_by_index(int ifindex)
-{
-	struct nl_handler nlh;
-	struct nlmsg *nlmsg = NULL, *answer = NULL;
-	struct link_req *link_req;
-	int err;
-
-	err = netlink_open(&nlh, NETLINK_ROUTE);
-	if (err)
-		return err;
-
-	err = -ENOMEM;
-	nlmsg = nlmsg_alloc(NLMSG_GOOD_SIZE);
-	if (!nlmsg)
-		goto out;
-
-	answer = nlmsg_alloc(NLMSG_GOOD_SIZE);
-	if (!answer)
-		goto out;
-
-	link_req = (struct link_req *)nlmsg;
-	link_req->ifinfomsg.ifi_family = AF_UNSPEC;
-	link_req->ifinfomsg.ifi_index = ifindex;
-	nlmsg->nlmsghdr.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));
-	nlmsg->nlmsghdr.nlmsg_flags = NLM_F_ACK|NLM_F_REQUEST;
-	nlmsg->nlmsghdr.nlmsg_type = RTM_DELLINK;
-
-	err = netlink_transaction(&nlh, nlmsg, answer);
-out:
-	netlink_close(&nlh);
-	nlmsg_free(answer);
-	nlmsg_free(nlmsg);
-	return err;
-}
-
-static int lxc_netdev_delete_by_name(const char *name)
-{
-	int index;
-
-	index = if_nametoindex(name);
-	if (!index)
-		return -EINVAL;
-
-	return lxc_netdev_delete_by_index(index);
-}
-#else
-static int lxc_netdev_delete_by_name(const char *name)
-{
-	char path[200];
-	sprintf(path, "/tmp/lxcnettest/%s", name);
-	return unlink(path);
-}
-
-#endif
-
 static bool create_nic(char *nic, char *br, int pid, char **cnic)
 {
-#if ISTEST
-	char path[200];
-	sprintf(path, "/tmp/lxcnettest/%s", nic);
-	int fd = open(path, O_RDWR|O_CREAT, S_IWUSR | S_IRUSR);
-	if (fd < 0)
-		return false;
-	close(fd);
-	return true;
-#else
 	char *veth1buf, *veth2buf;
 	veth1buf = alloca(IFNAMSIZ);
 	veth2buf = alloca(IFNAMSIZ);
@@ -580,7 +251,7 @@ static bool create_nic(char *nic, char *br, int pid, char **cnic)
 	}
 
 	/* pass veth2 to target netns */
-	ret = lxc_netdev_move(veth2buf, pid);
+	ret = lxc_netdev_move_by_name(veth2buf, pid);
 	if (ret < 0) {
 		fprintf(stderr, "Error moving %s to netns %d\n", veth2buf, pid);
 		goto out_del;
@@ -591,7 +262,6 @@ static bool create_nic(char *nic, char *br, int pid, char **cnic)
 out_del:
 	lxc_netdev_delete_by_name(veth1buf);
 	return false;
-#endif
 }
 
 /*
@@ -775,65 +445,6 @@ again:
 	goto again;
 }
 
-static int lxc_netdev_rename_by_index(int ifindex, const char *newname)
-{
-	struct nl_handler nlh;
-	struct nlmsg *nlmsg = NULL, *answer = NULL;
-	struct link_req *link_req;
-	int len, err;
-
-	err = netlink_open(&nlh, NETLINK_ROUTE);
-	if (err)
-		return err;
-
-	len = strlen(newname);
-	if (len == 1 || len >= IFNAMSIZ)
-		goto out;
-
-	err = -ENOMEM;
-	nlmsg = nlmsg_alloc(NLMSG_GOOD_SIZE);
-	if (!nlmsg)
-		goto out;
-
-	answer = nlmsg_alloc(NLMSG_GOOD_SIZE);
-	if (!answer)
-		goto out;
-
-	link_req = (struct link_req *)nlmsg;
-	link_req->ifinfomsg.ifi_family = AF_UNSPEC;
-	link_req->ifinfomsg.ifi_index = ifindex;
-	nlmsg->nlmsghdr.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));
-	nlmsg->nlmsghdr.nlmsg_flags = NLM_F_ACK|NLM_F_REQUEST;
-	nlmsg->nlmsghdr.nlmsg_type = RTM_NEWLINK;
-
-	if (nla_put_string(nlmsg, IFLA_IFNAME, newname))
-		goto out;
-
-	err = netlink_transaction(&nlh, nlmsg, answer);
-out:
-	netlink_close(&nlh);
-	nlmsg_free(answer);
-	nlmsg_free(nlmsg);
-	return err;
-}
-
-static int lxc_netdev_rename_by_name(const char *oldname, const char *newname)
-{
-	int len, index;
-
-	len = strlen(oldname);
-	if (len == 1 || len >= IFNAMSIZ)
-		return -EINVAL;
-
-	index = if_nametoindex(oldname);
-	if (!index) {
-		fprintf(stderr, "Error getting ifindex for %s\n", oldname);
-		return -EINVAL;
-	}
-
-	return lxc_netdev_rename_by_index(index, newname);
-}
-
 static int rename_in_ns(int pid, char *oldname, char *newname)
 {
 	char nspath[MAXPATHLEN];
@@ -952,13 +563,13 @@ int main(int argc, char *argv[])
 		exit(1);
 	}
 
-	if (!create_db_dir(DB_FILE)) {
+	if (!create_db_dir(LXC_USERNIC_DB)) {
 		fprintf(stderr, "Failed to create directory for db file\n");
 		exit(1);
 	}
 
-	if ((fd = open_and_lock(DB_FILE)) < 0) {
-		fprintf(stderr, "Failed to lock %s\n", DB_FILE);
+	if ((fd = open_and_lock(LXC_USERNIC_DB)) < 0) {
+		fprintf(stderr, "Failed to lock %s\n", LXC_USERNIC_DB);
 		exit(1);
 	}
 

src/lxc/network.c

@@ -130,6 +130,17 @@ out:
 	return err;
 }
 
+int lxc_netdev_move_by_name(char *ifname, pid_t pid)
+{
+	int index;
+
+	index = if_nametoindex(ifname);
+	if (!ifname)
+		return -EINVAL;
+
+	return lxc_netdev_move_by_index(index, pid);
+}
+
 int lxc_netdev_delete_by_index(int ifindex)
 {
 	struct nl_handler nlh;
@@ -233,7 +244,7 @@ int lxc_netdev_rename_by_name(const char *oldname, const char *newname)
 	return lxc_netdev_rename_by_index(index, newname);
 }
 
-static int netdev_set_flag(const char *name, int flag)
+int netdev_set_flag(const char *name, int flag)
 {
 	struct nl_handler nlh;
 	struct nlmsg *nlmsg = NULL, *answer = NULL;
@@ -1036,3 +1047,35 @@ const char *lxc_net_type_to_str(int type)
 		return NULL;
 	return lxc_network_types[type];
 }
+
+int setup_private_host_hw_addr(char *veth1)
+{
+	struct ifreq ifr;
+	int err;
+	int sockfd;
+
+	process_lock();
+	sockfd = socket(AF_INET, SOCK_DGRAM, 0);
+	process_unlock();
+	if (sockfd < 0)
+		return -errno;
+
+	snprintf((char *)ifr.ifr_name, IFNAMSIZ, "%s", veth1);
+	err = ioctl(sockfd, SIOCGIFHWADDR, &ifr);
+	if (err < 0) {
+		process_lock();
+		close(sockfd);
+		process_unlock();
+		return -errno;
+	}
+
+	ifr.ifr_hwaddr.sa_data[0] = 0xfe;
+	err = ioctl(sockfd, SIOCSIFHWADDR, &ifr);
+	process_lock();
+	close(sockfd);
+	process_unlock();
+	if (err < 0)
+		return -errno;
+
+	return 0;
+}

src/lxc/network.h

@@ -32,6 +32,7 @@ extern int lxc_convert_mac(char *macaddr, struct sockaddr *sockaddr);
  * Move a device between namespaces
  */
 extern int lxc_netdev_move_by_index(int ifindex, pid_t pid);
+extern int lxc_netdev_move_by_name(char *ifname, pid_t pid);
 
 /*
  * Delete a network device
@@ -45,6 +46,8 @@ extern int lxc_netdev_delete_by_index(int ifindex);
 extern int lxc_netdev_rename_by_name(const char *oldname, const char *newname);
 extern int lxc_netdev_rename_by_index(int ifindex, const char *newname);
 
+extern int netdev_set_flag(const char *name, int flag);
+
 /*
  * Set the device network up or down
  */
@@ -123,4 +126,5 @@ extern int lxc_neigh_proxy_on(const char *name, int family);
 extern int lxc_neigh_proxy_off(const char *name, int family);
 
 extern const char *lxc_net_type_to_str(int type);
+extern int setup_private_host_hw_addr(char *veth1);
 #endif

src/tests/Makefile.am

@@ -15,8 +15,6 @@ lxc_test_lxcpath_SOURCES = lxcpath.c
 lxc_test_cgpath_SOURCES = cgpath.c
 lxc_test_clonetest_SOURCES = clonetest.c
 lxc_test_console_SOURCES = console.c
-lxc_usernic_test_SOURCES = ../lxc/lxc_user_nic.c ../lxc/nl.c
-lxc_usernic_test_CFLAGS = -DISTEST
 lxc_test_snapshot_SOURCES = snapshot.c
 lxc_test_concurrent_SOURCES = concurrent.c
 lxc_test_may_control_SOURCES = may_control.c
@@ -42,7 +40,7 @@ endif
 bin_PROGRAMS = lxc-test-containertests lxc-test-locktests lxc-test-startone \
 	lxc-test-destroytest lxc-test-saveconfig lxc-test-createtest \
 	lxc-test-shutdowntest lxc-test-get_item lxc-test-getkeys lxc-test-lxcpath \
-	lxc-test-cgpath lxc-test-clonetest lxc-test-console lxc-usernic-test \
+	lxc-test-cgpath lxc-test-clonetest lxc-test-console \
 	lxc-test-snapshot lxc-test-concurrent lxc-test-may-control \
 	lxc-test-reboot lxc-test-list lxc-test-attach
 

src/tests/lxc-test-usernic

@@ -21,47 +21,119 @@
 # License along with this library; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 
-conffile="/tmp/lxc-usernet"
-dbfile="/tmp/nics"
-sysfsdir=/tmp/lxcnettest
+cleanup() {
+	sed -i '/usernic-user/d' /var/run/lxc/nics /etc/lxc/lxc-usernet
+	ifconfig usernic-br0 down
+	ifconfig usernic-br1 down
+	sudo brctl delbr usernic-br0
+	sudo brctl delbr usernic-br1
+	sudo deluser usernic-user
+	su -l usernic-user -c "lxc-stop -P /tmp/usernic-test/lxcbase -n b1"
+	rm -rf /tmp/usernic-test
+	exit $1
+}
 
-rm -f $conffile $dbfile
+# create a test user
+deluser usernic-user || true
+useradd usernic-user
+sudo mkdir -p /home/usernic-user
+sudo chown usernic-user /home/usernic-user
+usermod -v 910000-919999 -w 910000-919999 usernic-user
+mkdir -p /tmp/usernic-test/lxcbase
+chown usernic-user /tmp/usernic-test/lxcbase
+uid=$(id -u usernic-user)
+cat > /home/usernic-user/.bashrc << EOF
+export XDG_RUNTIME_DIR=/run/user/$uid
+EOF
+XDG_RUNTIME_DIR=/run/user/$uid
+export XDG_RUNTIME_DIR=/run/user/$uid
+mkdir -p /run/user/$uid
+chown usernic-user /run/user/$uid
+env
+echo XXX[
+su -l usernic-user -c "env"
+sleep 20
+
+#
+cat > /tmp/lxc-usernic.conf << EOF
+lxc.network.type = empty
+lxc.id_map = u 0 911000 10000
+lxc.id_map = g 0 911000 10000
+EOF
 
-rm -rf $sysfsdir
-mkdir -p $sysfsdir
+# Create two test bridges
 
-# there is no conffile, so we have no permissions
-lxc-usernic-test 1111 veth lxcbr0 > /dev/null 2>&1
+brctl addbr usernic-br0
+brctl addbr usernic-br1
+ifconfig usernic-br0 0.0.0.0 up
+ifconfig usernic-br1 0.0.0.0 up
+
+# Create three containers
+su -l usernic-user -c "lxc-create -P /tmp/usernic-test/lxcbase -t busybox -n b1 -f /tmp/lxc-usernic.conf"
+su -l usernic-user -c "lxc-start -P /tmp/usernic-test/lxcbase -n b1 -d"
+p1=`lxc-info -P /tmp/usernic-test/lxcbase -n b1 -p | awk -F: '{ print $2 }'`
+
+# Assign one veth, should fail as no allowed entries yet
+su -l usernic-user -c "lxc-user-nic $p1 veth usernic-br0 xx1"
 if [ $? -eq 0 ]; then
-	echo "Fail: empty conffile should not allow me a nic"
-	exit 1
+	echo "FAIL: able to create nic with no entries"
+	cleanup 1
 fi
 
-cat > $conffile << EOF
-$(id -un) veth lxcbr0 1
-EOF
+# Give him a quota of two
+echo "lxc-usernet veth usernic-br0 2" >> /etc/lxc/lxc-usernet
+
+# Assign one veth to second bridge, should fail
+su -l usernic-user -c "lxc-user-nic $p1 veth usernic-br1 xx1"
+if [ $? -eq 0 ]; then
+	echo "FAIL: able to create nic with no entries"
+	cleanup 1
+fi
 
-# Should be allowed one but not two
-lxc-usernic-test 1111 veth lxcbr0 > /dev/null 2>&1
+# Assign two veths, should succeed
+su -l usernic-user -c "lxc-user-nic $p1 veth usernic-br0 xx2"
+if [ $? -ne 0 ]; then
+	echo "FAIL: unable to create first nic"
+	cleanup 1
+fi
+su -l usernic-user -c "lxc-user-nic $p1 veth usernic-br0 xx3"
 if [ $? -ne 0 ]; then
-	echo "Failed to get one allowed nic"
-	exit 1
+	echo "FAIL: unable to create second nic"
+	cleanup 1
 fi
 
-lxc-usernic-test 1111 veth lxcbr0 > /dev/null 2>&1
+# Assign one more veth, should fail.
+su -l usernic-user -c "lxc-user-nic $p1 veth usernic-br0 xx4"
 if [ $? -eq 0 ]; then
-	echo "Fail: was able to get a second nic"
-	exit 1
+	echo "FAIL: able to create third nic"
+	cleanup 1
 fi
 
-# now remove the 'existing nic' and make sure we're allowed to create
-# a new one
-lxc-usernic-test 1111 veth lxcbr0 > /dev/null 2>&1
-rm -rf $sysfsdir
-mkdir -p $sysfsdir
+# Shut down and restart the container, should be able to assign more nics
+su -l usernic-user -c "lxc-stop -P /tmp/usernic-test/lxcbase -n b1"
+su -l usernic-user -c "lxc-start -P /tmp/usernic-test/lxcbase -n b1 -d"
+p1=`lxc-info -P /tmp/usernic-test/lxcbase -n b1 -p | awk -F: '{ print $2 }'`
+su -l usernic-user -c "lxc-user-nic $p1 veth usernic-br0 xx5"
 if [ $? -ne 0 ]; then
-	echo "Fail: was unable to get a replacement nic"
-	exit 1
+	echo "FAIL: unable to create nic after destroying the old"
+	cleanup 1
+fi
+
+su -l usernic-user -c "lxc-stop -P /tmp/usernic-test/lxcbase -n b1"
+
+# Create a root-owned ns
+lxc-create -t busybox -n usernic-c1
+lxc-start -n usernic-c1 -d
+p2=`lxc-info -n usernic-c1 -p | awk -F: '{ print $2}'`
+
+# assign veth to it - should fail
+su -l usernic-user -c "lxc-user-nic $p2 veth usernic-br0 xx6"
+ret=$?
+lxc-stop -n usernic-c1
+lxc-destroy -n usernic-c1
+if [ $ret -eq 0 ]; then
+	echo "FAIL: able to attach nic to root-owned container"
+	cleanup 1
 fi
 
 echo "All tests passed"